|
| 1 | +The flow of the functionality. |
| 2 | + |
| 3 | +## Registation |
| 4 | +* Each signer generates a key pair to be used for EdDSA. |
| 5 | + * The secret key is an element of the scalar field $\mathbb{F}_r$ of the Jubjub elliptic curve. |
| 6 | + * The public key is an affine point on Jubjub curve. It is of the form `(u, v)`. The coordinates are elements of the scalar field $\mathbb{F}_q$ of the BLS12-381 elliptic curve construction. |
| 7 | +* Signers share their public keys with the registration authority. |
| 8 | +* Registration authority collects the `u` coordinates of all the public keys in a list. |
| 9 | +* The aggregated public key is generated by hashing the list that includes `u` coordinates of all the public keys. |
| 10 | + * The hash output is an element of the base field $\mathbb{F}_q$ of the Jubjub elliptic curve construction. |
| 11 | + |
| 12 | +## Signing |
| 13 | +Each signer generates a Schnorr signature and does the following: |
| 14 | +* Announcement: |
| 15 | + * Generate a random scalar on the scalar field $\mathbb{F}_r$ of the Jubjub elliptic curve. |
| 16 | + * Multiply the random scalar with the generator. |
| 17 | + * The generator is an `ExtendedPoint` of the form `(U, V, Z, T1, T2)`. |
| 18 | + * So, we convert the multiplication result to an `AffinePoint` of the form `(u, v)`. |
| 19 | +* Challenge: |
| 20 | + * Create a list including |
| 21 | + * `x` coordinate of the announcement, |
| 22 | + * `x` coordinate of the public key, |
| 23 | + * The message. |
| 24 | + * Note that, `x` coordinate mentioned above is equivalent to the `u` coordinate. Therefore, all the components of the list are elements of the scalar field $\mathbb{F}_q$ of the BLS12-381 elliptic curve construction. |
| 25 | + * Generate the hash of the list. |
| 26 | + * The hash output is an element of the base field $\mathbb{F}_q$ of the Jubjub elliptic curve construction. |
| 27 | +* Response: |
| 28 | + * The response is the addition of the random scalar we used to generate the announcement, the secret key, and the challenge. |
| 29 | + * Note that the random scalar and the secret key are the elements of $\mathbb{F}_r$, but the challenge is an element of the base field $\mathbb{F}_q$. We need to reduce the challenge, so that we can do the addition. |
| 30 | + * Reduce the challenge to $\mathbb{F}_r$. |
| 31 | + * Do the addition. |
| 32 | +* Output: |
| 33 | + * Return the announcement which is an `AffinePoint` of the form `(u, v)` and the response which is a scalar, an element in $\mathbb{F}_r$. |
| 34 | + |
| 35 | +## Aggregation |
| 36 | +* The aggregator receives signatures sent by the signers and collects the threshold-many of them in a list as the aggregate signature. |
| 37 | + |
| 38 | +## Verification |
| 39 | +* The verifier receives: |
| 40 | + * signatures: Schnorr signatures including an `AffinePoint` of the form `(u, v)` and the response which is a scalar, an element in $\mathbb{F}_r$. |
| 41 | + * pks: The list of all public keys. The public keya are affine points of the form `(u, v)` on Jubjub curve. |
| 42 | + * commited_pks: The aggregated public key, an element of the base field $\mathbb{F}_q$ of the Jubjub elliptic curve construction. |
| 43 | + * msg: The message is an element of the base field $\mathbb{F}_q$ of the Jubjub elliptic curve construction. |
| 44 | + * threshold: The threshold is in the form of an element of the base field $\mathbb{F}_q$ of the Jubjub elliptic curve construction. |
| 45 | +* Collects the `x` coordinates of the all public keys in a list and generates a hash of the list. |
| 46 | + * The hash output is an element of the base field $\mathbb{F}_q$ of the Jubjub elliptic curve construction. |
| 47 | +* Checks whether the hash output is equal to the committed_pks. |
| 48 | +* Iterates though the signatures and the public keys and verifies each signature with respect to the message and the corresponding public key. |
| 49 | +* Counts the number of valid signatures. |
| 50 | +* Verifier accepts if |
| 51 | + * The list of public keys produce the committed_pks and |
| 52 | + * There are threshold-many valid signatures. |
0 commit comments